University Urology P.C. of Knoxville, Tennessee informed patients of a data breach involving their personal information. According to the practice, the information was limited to names and addresses, and no Social Security numbers, financial account information or clinical information was exposed.

According to a statement by the facility, an administrative assistant had compiled the data in an effort to sell it to a competing provider, helping them gain patient business. Patients contacted University Urology to let them know that the competing provider had been soliciting their business.

Information Source:
Media

records from this breach used in our total:
0

April 9, 2014

Clinical Reference Laboratory
Lenexa, Kansas

MED

PHYS

Unknown

Clinical Reference Laboratory, Inc. notified individuals of a breach regarding their personal information. On or around February 6, 2014 Clinical Reference Laboratory (CRL) sent a packet of invoices via the United States Postal Service to Nationwide Insurance for services performed. The package was damaged when it arrived at the USPS facility and some of the invoice pages were missing.

The information in these missing pages included names, dates of birth, the last 4 digits of individuals' Social Security numbers and the type of lab tests conducted.

The company has arranged a free one year subscription through Equifax Personal Solutions.

The San Francisco-based Internet company has informed customers of a potential breach that may have occurred in their system. The company sent notification out to customers after noticing suspicious activity on their accounts, and in turn locked their accounts and reset their passwords.

The company reported that the breach included only passwords.

Information Source:
California Attorney General

records from this breach used in our total:
0

April 7, 2014

American Express Company
New York, New York

BSF

CARD

Unknown

American Express Company informed customers that their credit card information was recovered as part of an investigation by law enforcement agencies and/or American Express. The information reportedly included only the American Express Card account numbers; no Social Security numbers were impacted.

Those individuals who notice suspicious activity on their account are asked to call 1-855-693-2213 to notify the company.

The company confirmed that on March 13, 2014 they suffered a cyberattack where hackers obtained usernames, passwords and credit card information for individuals who use the GovWin IQ system. Of the 80,000 individuals affected, 25,000 of those may have had credit card information breached.

The company is offering those individuals whose credit card information was affected a free membership to TransUnion Monitoring services.

It has also been reported that authorities have already made an arrest in this case.

The recruiting site BigMoneyJobs.com has apparently been breached by a hacker that goes by the name of ProbablyOnion by exploiting an SQL Injection vulnerability. The details of over 36,000 users have been leaked online due to the breach.

The information, including names, home addresses, phone numbers, emails and passwords of 36,802 users, has been published in an Excel file. The information covers both individuals looking for a job and companies looking for talent.

Information Source:
Media

records from this breach used in our total:
0

April 3, 2014

Cole Taylor Mortgage
Portland, Oregon

BSF

DISC

Unknown

Cole Taylor Mortgage (a division of Cole Taylor Bank) informed customers of a data breach that occurred due to an error by one of their third party vendors. Information was inadvertently made accessible to employees of another federally regulated bank.

The information included names, addresses, Social Security numbers, loan numbers and certain loan information. According to the mortgage company, the breach was caused by a technical error by the vendor that provides information technology services and solutions to both banks.

The company has established a dedicated toll-free hotline for those who were affected at 1-800-572-9809.

Information Source:
California Attorney General

records from this breach used in our total:
0

April 3, 2014

Central City Concern
Portland, Oregon

NGO

INSD

15

Central City Concern, a non-profit in Portland, Oregon, notified individuals of a data breach that was perpetrated by an ex-employee of the agency. Federal law enforcement officers notified the non-profit that this former employee copied files from approximately 15 clients from its Access Center with the intention of filing fraudulent tax returns.

CCC began an investigation and has noted that this former employee may have accessed files from March 23, 2010 through May 24, 2013. The former employee stated to authorities that they had only copied 15 files. The non-profit has set up 12 months of free monitoring through Experian's ProtectMyID alert. Those affected with questions for the agency are asked to call 1-866-778-1144 Monday through Friday, 6:00 a.m. to 6:00 p.m.

Kaiser Permanente's Northern California Division of Research informed research patients of a data breach to their system. The company discovered that a server was infected by malicious software that caused a breakdown in the server's security barriers, allowing the hackers to obtain personal information.

The information included first names, last names, dates of birth, ages, genders, addresses, race/ethnicities, medical record numbers and lab results, all associated with research provided by individuals as part of research studies.

Currently the company has stated that neither Social Security numbers nor Kaiser electronic medical record information used for ongoing medical care were affected.

Those affected with questions are asked to call 1-877-811-0019 from 8 a.m. to 6 p.m. PDT Monday through Friday, or the Department of Health and Human Services through the Office for Civil Rights at 1-800-368-1019.

The personal data of over 158,000 Boxee.tv forum accounts were hacked and leaked online to a Tor Internet site and at least one researcher. The information included email addresses, birth dates, IP addresses, message histories, and password changes. It also included message archives and past password changes.

The company was purchased by Samsung last July.

Information Source:
Media

records from this breach used in our total:
0

April 2, 2014

California Correctional Institution
Tehachapi, California

GOV

PHYS

Unknown

On March 9, 2014 an employee roster was discovered within an unsecured desk drawer at one of the correctional facilities.

The roster included full names and the last 6 digits of Social Security numbers.

Those affected are being directed to call Tim Fites, Information Security Coordinator, at 1-661-823-5011.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 28, 2014

Palomar Health
Escondido, California

MED

PORT

5,000 patients

Palomar Health in Escondido had a laptop stolen along with two flash drives from an employee's SUV. Approximately 5,000 patients were affected by the breach.

The flash drives contained patient names, dates of birth, information regarding individual diagnosis, individual treatment and insurance information. The computer was encrypted but the flash drives were not. The information dates back to 2008.

The Oceanside police have recovered the laptop and the missing flash drives. One person was arrested and the arrest of a possible second suspect may follow.

Those patients who may have been affected can reach the health care system for more information at 1-866-313-7993. The company is offering credit monitoring services for those individuals whose Medicare numbers were compromised.

Palomar could face a fine as high as $250,000 from the California Department of Health.

The information included last names, assigned medical record numbers, dates of birth, gestational ages, birth weights, dates of hospitalizations, and in some cases, transfer dates of children who were patients at Arnold Palmer Hospital for Children or Winnie Palmer Hospital for Women and Babies between 2009 and 2013.

Information Source:
Media

records from this breach used in our total:
0

March 27, 2014

The University of Wisconsin-Parkside
Kenosha, Wisconsin

EDU

HACK

15,000

Students were notified by officials from The University of Wisconsin-Parkside of a data breach that occurred when hackers installed malware on one university server.

The information that is at risk includes names, addresses, telephone numbers, email addresses and Social Security numbers. The breach affects students who were either admitted or enrolled at the university since the fall of 2010.

The server was shut down and the hacking was reported to local authorities. After launching an investigation it appears the malware was searching for credit card information and they show no evidence that any Social Security numbers were compromised.

On March 7 it was discovered that there was unauthorized access to Sorenson Communications employee data via the payroll vendor utilized for both Sorenson Communications and CaptionCall employees. The personal information breached covers employees, beneficiaries, dependents and emergency contacts, or anyone listed in the employee's HR account with the company.

The information includes names, dates of birth, addresses, Sorenson income histories, Social Security numbers, W-2 information and emergency contact data. The breach appears to have happened between February 20, 2014 and March 3, 2014.

The FBI has been contacted and is investigating the breach. An email was sent to all those affected on March 11th with instructions on how to enroll in the company-provided credit monitoring services. If an email was not received they are requesting those individuals contact the Human Resources Department at hrsupport@sorenson.com to obtain the information.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 25, 2014

University of Kentucky HealthCare/Talyst
Lexington, Kentucky

MED

PORT

1,079

UK Healthcare is notifying 1,079 patients that a laptop with their personal health information was stolen on February 4, 2014 from Talyst, a third party pharmacy billing management company.

American Express sent out notification to cardholders regarding unauthorized activity on their cards from unnamed merchants. American Express has stated that names, card account numbers and expiration dates of cards could have been affected. At this time they have stated that no Social Security numbers have been affected.

American Express has placed a fraud alert on their cardholders' credit reports. Those affected are to call 1-800-297-7672 for identity theft assistance or email www.americanexpress.com/idtheftassistance.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 22, 2014

California DMV
Sacramento, California

GOV

HACK

Unknown

The California DMV is investigating a potential data breach of their credit card processing systems. Reportedly several large financial institutions received private alerts this week from MasterCard about compromised cards used for charges.

As reported by Krebs on Security, "the alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a 'card-not-present' breach, industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from August 2, 2013 to January 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards".

Krebs contacted 5 different financial institutions, two mid-sized California banks and "confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation 'STATE OF CALIF DMV INT.'"

The DMV, who originally stated they would investigate, put out a statement at 6:44 Eastern Time on March 22, 2014, placing blame on the third party credit card processing company.

The total amount of individuals potentially affected at this time is unknown. KrebsOnSecurity stated that they had received a list of more than 1,000 cards, from one bank, that were potentially exposed that included credit card numbers, expiration dates and three-digit security codes printed on the back.

The unauthorized access may have compromised payment card data of visitors who used their cards for payment of items at the wine shop tasting room. Information compromised included names, addresses, payment card account numbers, card expiration dates and security codes.

The company is offering a complimentary one year membership of Experian ProtectMyID Alert. Those affected who wish to enroll in the services are asked to call 1-310-899-8903.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 21, 2014

San Francisco Department of Public Health/Sutherland Healthcare Solutions
San Francisco, California

MED

STAT

Unknown

San Francisco Health Network/San Francisco Department of Public Health has notified patients that their information may have been compromised as well, due to the recent theft of computers at Sutherland Healthcare Solutions. Sutherland is the third party billing company for the San Francisco Department of Public Health.

The information contained in the stolen computers included names, dates of birth, Social Security numbers, dates and location of services and names of insurance companies or payers.

The agency is providing one year of ID Experts. Anyone who was affected is encouraged to contact ID Experts with any questions and to enroll in the service by calling 1-866-486-4809 or by going to their website www.myidcare.com/idexpertshealthcareprotection. Documentation was sent to the affected parties that provided steps for enrollment and an access code for entry. The deadline to enroll is July 31, 2014.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 20, 2014

Marian Regional Medical Center
Santa Maria, California

MED

DISC

Unknown

Marian Regional Medical Centers (Santa Maria and Arroyo Grande Campuses) notified patients of a data breach. A secured electronic file containing patients' information was sent to a contracted health insurance plan in error. The health insurance plan notified the company immediately that they received the email in error.

The file included names, addresses, types of insurance, dates of birth, dates of service, types of laboratory tests and test results for dates of service between March 1 and March 6, 2014. The company has stated that the Social Security number was not included in the electronic file.

The company has asked those affected to direct questions or concerns to a toll-free number, 1-877-906-1603.

Auburn University notified individuals of a compromised server within the College of Business network. This incident could have resulted in unauthorized access to personal information including Social Security numbers and names. The investigation is ongoing and the University has reportedly patched the vulnerability in their system.

They have no evidence as yet that any information was accessed or misused in any way. The University is offering a one year complimentary membership of Experian's ProtectMyID Alert. For questions or concerns, affected parties should call 1-877-371-7902.

Information Source:
Vermont Attorney General

records from this breach used in our total:
0

March 18, 2014

Hickory Grove Gas Station
Vincent, Ohio

BSR

HACK

100 reported, could go as high as 300

A local area gas station in Vincent, Ohio off of Ohio 339 has had a credit card breach, and those affected are customers who recently used either debit or credit cards at the gas station. So far 100 people have reported fraudulent charges on their accounts dating back at least a month. Reports are saying that the number could go as high as 300 victims.

It appears hackers infiltrated the network that the gas station and grocery store use. The breach could have also potentially happened through the Kentucky-based credit card processing company they use. They have stopped accepting any credit or debit cards until a full investigation is completed.

Those who think they have been victimized are asked to call the Vincent, Ohio Sheriff's Department.

Information Source:
Media

records from this breach used in our total:
100

March 18, 2014

Yellowstone Boys and Girls Ranch (YBGR)
Billings, Montana

MED

PHYS

Unknown

The Yellowstone Boys and Girls Ranch, which treats mental health issues for children and teens, reported that a binder was lost or destroyed sometime in 2013. The binder contained information that included names, addresses, dates of birth, parents' names, programs and treatment professionals' information. They have stated that no financial or Social Security information was stored in this binder.

Information Source:
Health IT Security

records from this breach used in our total:
0

March 18, 2014

The Shelburne Country Store
Shelburne, Vermont

BSR

HACK

Unknown

The Shelburne Country Store notified customers of a computer hack to their payment processing system, similar to reported attacks on other national retailers such as Target and Neiman Marcus.

The information compromised included names, addresses, credit or debit card numbers, expiration dates and verification codes. They believe the breach occurred between November 13, 2013 and January 6, 2014. They are unclear as to how many purchases were affected.

The company has set up AllClear ID protect your identity for 12 months at no cost to those affected. They can either email support@allclearid.com or call 1-855-434-8077.

Information Source:
Vermont Attorney General

records from this breach used in our total:
0

March 18, 2014

IRS, Pennsylvania

GOV

INSD

20,000

A former employee of the IRS took home a computer thumb drive that contained personal information on 20,000 current and former employees and contractors. The information included Social Security numbers, names and addresses. The thumb drive was plugged into the employee's unsecured network, which could have left the information vulnerable.

This incident dates back to 2007, before the IRS started using automatic encryption. The IRS will not comment on why they did not discover this breach until now, or on whether the employee who used the thumb drive is still working at the IRS.

Information Source:
Media

records from this breach used in our total:
20,000

March 17, 2014

Service Coordination Inc.
Frederick, Maryland

MED

HACK

9,700

Hackers infiltrated the computers of a state-licensed provider of services to developmentally disabled individuals. The information stolen included Social Security numbers and medical information for approximately 9,700 clients.

The non-profit learned of the breach in late October 2013. The U.S. Justice Department asked the non-profit organization to delay notification of the breach to allow for a federal investigation.

The investigation did lead to the alleged hacker, and their equipment and accounts have been seized.

"Service Coordination is one of five private organizations licensed by the state's Developmental Disabilities Administration, an agency of the Maryland Department of Health and Mental Hygiene."

Information Source:
Media

records from this breach used in our total:
9,700

March 17, 2014

Arcadia Home Care and Staffing
Southfield, Michigan

MED

INSD

Unknown

Arcadia Home Care/Arcadia Health Services, Inc. notified employees of unauthorized access of their files by an independent contractor for Arcadia by the name of Charles E. Symes, II and his new business Alegre. Mr. Symes was previously authorized to use Arcadia's database, which contained personal information, but only for authorized purposes and access.

Elightbulbs.com is one of a series of companies that have had security breaches due to exposure of ColdFusion weaknesses. The online company was contacted by Discover card alerting them to a pattern of fraudulent activity on cards that were recently used at their store. This is a similar incident to what happened with Smucker's. ELightbulbs.com was listed in the ColdFusion botnet panel.

The Vice President of the company, Paul McLellan said "he first learned of the breach on November 7, 2013 from his company's processor, Heartland Payment Systems". He also stated that "shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind. Turns out this flaw had existed for two years and they never saw it."

The FBI has stated that the group responsible for the attack has also compromised much higher-profile targets.

Information Source:
Media

records from this breach used in our total:
0

March 17, 2014

Kichlerlightinglights.com
New York, New York

BSR

HACK

Unknown

KichlerLightingLights is another victim of the ColdFusion botnet. The company's owner Gary Fitterman stated "It was like being attacked by terrorists. When we learned what had happened, we immediately went into frenzy, spent a ton of money to get forensic experts to take a look."

The hacking gang used vulnerabilities in Adobe's ColdFusion to build a botnet of hacked ecommerce sites, designed to bilk the customers' credit card data. KichlerLightingLights was just another one of the ecommerce sites affected.

The various companies that have been affected all handled credit card processing on their site. Mr. Fitterman has now outsourced all of his credit card processing transactions to a third party company.

Experts state that if you run your own credit card processing you must be diligent about software updates.

SCI, in a letter provided to WBAL News, indicates that its computers were hacked between October 20th and October 30th and that access was gained to confidential information.

That potentially includes names, social security numbers, medical assistance numbers, and other vital information, some shared with the Maryland Developmental Disabilities Administration".

Information Source:
PHIPrivacy.net

records from this breach used in our total:
14,000

March 14, 2014

Health Source of Ohio
Milford, Ohio

MED

PHYS

8,800

Health Source of Ohio reported a breach of patients' personal information when a file containing specific data was accidentally made visible online. According to authorities the file was viewed 47 times.

The file included names, account numbers, addresses, phone numbers, Social Security numbers, birthdates, credit card numbers and limited healthcare information. According to the center, not all patients' information included financial or Social Security numbers. A specific number was not provided of the 8,800 who may have suffered a breach of their financial information or SSN.

Patients who were affected are advised to contact HSO at 1-800-495-7647.

Information Source:
Media

records from this breach used in our total:
8,800

March 13, 2014

Silversage Advisors
Irvine, California

BSF

PORT

Unknown

On February 20, 2014 Silversage Advisors notified customers of a theft of back-up computer drives from a secure offsite location used as part of the company's disaster recovery plan. The drives contained names, addresses, Social Security numbers, driver's license numbers and account information.

The company is providing one year of Breach Protector credit monitoring and identity theft restoration coverage. Those affected with questions are to call 1-888-969-7500.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 13, 2014

Detroit Medical Center-Harper University Hospital
Detroit, Michigan

MED

INSD

1,087

A former Detroit Medical Center-Harper University Hospital employee was found with the personal information of 1,087 patients by West Bloomfield police. The documents included patients' health information, names, dates of birth, reasons for patient visits and Social Security numbers.

When the hospital learned of the breach they immediately revoked the employee's access to its computer systems and all of the Detroit Medical Center hospitals.

Patients who were affected can call 1-855-830-9731 with questions.

Information Source:
Media

records from this breach used in our total:
1,087

March 12, 2014

UCSF Family Medicine Center at Lakeshore
San Francisco, California

MED

STAT

9,986

UCSF Family Medicine Center at Lakeshore notified patients of a theft of unencrypted desktop computers on or around January 11, 2014. An immediate analysis was made of what information the computers contained. On March 6, 2014 UCSF determined that some of the computers stolen contained Social Security numbers, names, dates of birth and medical record numbers; some contained only names, medical record numbers and health information.

Those who were affected were asked to contact UCSF/ID Experts by calling 1-888-236-0299 Monday through Friday from 6 a.m. to 6 p.m. Pacific time. When calling, individuals are asked to use Access Code: 59832

UPDATE (3/20/2014): The University of California at San Francisco is notifying 9,986 individuals who had information on the computers that were stolen from the UCSF Family Medicine Center at Lakeshore. The computers included information such as names, dates of birth, mailing addresses, medical record numbers, health insurance ID numbers and driver's license numbers. Of the 9,986 files, 125 also included Social Security numbers. Credit monitoring is being offered to those whose Social Security numbers were affected.

As reported by Krebs On Security, for the second time since August 2013, the "online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data."

The Director of Business Development with the company, Vishal Agarwal, has confirmed that they were approached by Discover Card in August of 2013, communicating that they were seeing fraudulent activity and the online retailer was the point of compromise.

As stated by Mr. Agarwal "they requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave. Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems."

Discover reached out to the company again in February to notify them that there was additional evidence of fraud associated with their online store from November 1, 2013 through January 15, 2014.

The company has again engaged Trustwave to complete another forensic audit and to also confirm that they are PCI compliant.

Information Source:
Media

records from this breach used in our total:
0

March 11, 2014

City of Hope
Duarte, California

MED

STAT

Unknown

The City of Hope was informed by one of their vendors, Sutherland Healthcare Solutions, Inc., of a burglary that happened in one of their offices, where the thieves stole eight of their computers. Two of the computers contained City of Hope patient and patient guarantor information. Both computers were password protected. Sutherland Healthcare Solutions provides billing services for the City of Hope, who has since suspended their relationship with Sutherland.

The information on the computers contained Social Security numbers, names, addresses, phone numbers, medical record numbers, account numbers and/or diagnoses. Law enforcement is currently investigating the incident.

The City of Hope has secured the services of Kroll, a risk mitigation company, to provide identity theft protection at no cost for one year for those who may have been affected.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 11, 2014

Cornerstone Health Care
High Point, North Carolina

MED

PORT

548

Cornerstone Health Care reported a laptop containing information for 548 patients was stolen from Cornerstone Neurology sometime between December 31, 2013 and January 6, 2014.

The laptop contained protected health information such as patient names, dates of birth, physician names and nerve conduction scan summaries. The laptop did not contain any addresses, billing information, or Social Security numbers. The laptop was not connected to their third party billing company or their electronic health records.

Since the theft the medical practice has revised its procedures and policies, retrained the staff on securing patient information and replaced locks on rooms with electronic medical devices.

Information Source:
Media

records from this breach used in our total:
0

March 11, 2014

Emory Dialysis Center, part of Emory Clinic
Atlanta, Georgia

MED

PORT

826

An employee of Emory Dialysis Center notified the center that his work laptop had been stolen out of his car on February 7, 2014.

The laptop was protected by a password but was not encrypted. The laptop contained information for 826 patients, which included dates of services, blood flow test graphs, and first and last names for approximately half of the patients; for the rest, only the patients' initials. The center has stated that the laptop did not contain dates of birth, addresses, billing information or Social Security numbers.

HSM (Health Systems Management) who runs the clinic is now password protecting all laptops and encrypting patient information.

Information Source:
Media

records from this breach used in our total:
0

March 10, 2014

Statista
New York, New York

BSO

HACK

50,000

Online statistics portal Statista notified customers of a data breach that occurred with their system. The breach was noticed when the company internally started receiving spam emails. The company investigated and found that approximately 50,000 of its customers' username and password combinations were compromised.

The company has not said whether or not the breach goes beyond access to username and passwords, but at present, this seems to be all that has been affected.

The company notified users almost immediately and assured them that the compromised passwords "cannot be used by third parties due to masking procedures". The company did not encourage customers to change their passwords.

Experts are questioning how secure the passwords are for those that created accounts prior to December 2013 and have stated that "the passwords of those who signed up before this data were stored in the Statista database as MD5 hashes. As many experts will tell you, MD5 passwords can be easily cracked".

The main risk for those affected would be a higher incidence of spam and phishing emails, potentially impersonating Statista.

Information Source:
Media

records from this breach used in our total:
0

March 7, 2014

Johns Hopkins University
Baltimore, Maryland

EDU

HACK

1,307

University officials at Johns Hopkins University announced a data breach of their Department of Biomedical Engineering's Design Team course web server. A hacker claiming to be part of the group Anonymous claimed credit for the hack.

The hackers made an attempt to extort the university out of server passwords, but the university did not comply with the request.

Officials at the university said that the server did not contain Social Security numbers, birth dates, credit card numbers or any financial data. The data the server did contain included employee data that is publicly available from the department's website. Those affected include any students from the BME department who were enrolled in the course from 2006 to this past fall. Approximately 1,307 individuals may have been affected.

A coding error that left the database vulnerable was identified and fixed, but not before the hackers infiltrated the system. The server was primarily used to produce the BME department's website. Although the breach happened late last year, it was not realized until someone posted on Twitter in January that the server was open to attack.

Information Source:
Media

records from this breach used in our total:
0

March 6, 2014

North Dakota University
Bismarck, North Dakota

EDU

HACK

290,780

North Dakota University System has notified individuals of a security breach of a computer server that stores personal information on students, staff and faculty.

On February 7, 2014 the server was hacked. According to Larry Skogen, the Interim Chancellor, more than 209,000 current and former students and 780 faculty and staff had personal information stored on this server, including names and Social Security numbers.

The university has notified officials and has set up a website www.ndus.edu/data with information and is organizing a call center for questions from those who were affected.

Authorities have announced that "an entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails".

On February 5, 2014 Sutherland Healthcare Solutions, which provides patient billing and collection services for Los Angeles County, was broken into and computers were stolen. Information that was stored on these computers included first and last names, Social Security numbers, billing information, dates of birth, addresses, diagnoses and other medical information.

Currently the breach is being investigated by authorities and the agency is offering credit monitoring services through ID Experts free for 12 months. To enroll in the free services, call 1-877-868-9284 or go to www.myidcare.com/securityandprotection.

UPDATE (3/7/2014): The Los Angeles County Department of Health and Human Services (DHS) announced recently that they will be notifying 168,000 patients of a data breach at Sutherland Healthcare Solutions. When originally reported the number of patients was not divulged.

UPDATE (5.27.2014): The Los Angeles County Department of Supervisors voted on Tuesday to tighten and add to the current requirements for county computers and hard drives. Currently, all laptops are required to be encrypted, and the vote on Tuesday extends that requirement to all county departments’ computer workstation hard drives as well. They also voted to have "all County-contracted agencies that exchange personally identifiable information and protected health information data with the County" be encrypted as a requirement for any contract.

As reported by Krebs on Security, it appears that Sally Beauty Supply may be one of the latest victims of a string of credit card data breaches affecting their payment systems.

"On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store. Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers".

The banks used a "common point of purchase" or "CPP" to determine where the cards were used over the same period of time. "Each bank independently reported that all of the cards (15 in total) had been used within the last ten days at Sally Beauty Supply locations across the United States".

The company had also detected some kind of intrusion into their network at or around the same time as the stolen card mapping or "CPP" dates that the banks found associated with Sally Beauty Supply. The company's initial investigation did not show any evidence that data was compromised at the store level. The company hired Verizon Enterprise Solutions for the initial and continued investigation.

UPDATE (3-17-2014): Sally Beauty has confirmed that the breach they suffered was due to hackers breaking into their network and stealing credit card data from stores. Originally the retailer would not confirm that they suffered a breach as they had no evidence that any credit card data was stolen. The company confirmed that "fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed." The company also states "As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security breach."

Information Source:
Media

records from this breach used in our total:
25,000

March 5, 2014

OANDA
New York, New York

BSF

HACK

Unknown

OANDA informed customers of an unauthorized breach affecting some of their clients. On Monday March 3, 2014 a historical log of some payments received via PayPal (prior to 2007) was accessed. The company states that the incident did not impact any fxTrade services, client trades or funds.

The information accessed included names and email addresses. The company states that usernames or passwords for their "fxPense" expense reporting tool may have been accessed. These accounts are not related to fxTrade. They are asking customers who registered for this service and use the same username and password on any other external websites to change those passwords.

Upon learning of the breach, the company shut down access to the system and alerted the FBI, their regulators and relevant privacy offices of the breach.

On Wednesday March 5, 2014 Point Park University in Pittsburgh, Pennsylvania notified employees of a possible data breach that included names, home addresses, Social Security numbers, wage information, birthdates, bank accounts and routing numbers.

The Point Park President stated that as many as 1,800 employees could have been affected by this breach.

"The university was expecting a package from its payroll processing vendor Ceridian, but when the package arrived to campus it was missing all of the accompanying reports, according to an internal email obtained by the Pittsburgh Post-Gazette."

The university is working with authorities and an investigation has been launched. The law firm that represents the university is currently putting a letter together to those who were affected that will include call-center information and other services offered.

The hackers utilized sophisticated malware that steals information from Web server applications. This particular malware obtains form data submitted by visitors as customers enter the data for the online checkout process.

These particular hackers look for weaknesses in either the end-user's computer or the Web server. If there is a weakness in either one, that web session then becomes compromised and the hackers "suck down customer data post or pre-encryption (this all depends on whether the data was incoming or outgoing)".

KrebsOnSecurity noted "when a reader first directed my attention to the Smucker's breach notice, I immediately recalled seeing the company's name among a list of targets picked last year by a criminal hacking group that plundered sites running outdated, vulnerable versions of ColdFusion, a Web application platform made by Adobe Systems Inc".

Information Source:
Media

records from this breach used in our total:
0

March 4, 2014

Eureka Internal Medicine
Eureka, California

MED

PHYS

Unknown

Eureka Internal Medicine has notified patients of a potential security breach. It was discovered that from September 25, 2013 until around October 9, 2013 their janitorial service was mixing paper recycling containing patient information with the regular trash instead of moving it to the locked shredding bin.

As a result, the paper containing patient information ended up in the regular trash, which was picked up and disposed of by the waste management company instead of being secured in the locked bin for pickup and secure shredding.

Information that may have been in the regular trash bins could have included full names of patients, Social Security numbers, insurance plan information and medical information.

Anyone who is potentially affected by the breach and has questions may call the representing attorney's office at 1-888-233-2305.

Information Source:
California Attorney General

records from this breach used in our total:
0

March 4, 2014

Assisted Living Concepts, LLC
Chicago, Illinois

MED

HACK

Unknown

Assisted Living Concepts LLC has notified current and former employees of a potential data breach involving unauthorized third party access to their payroll records.

Assisted Living Concepts utilizes an external vendor that provides them with payroll services. On February 14, 2014, the payroll vendor notified the facility of evidence of unauthorized third party access to their payroll information.

The company launched an investigation and discovered evidence that the unauthorized party had obtained their vendor user credentials and gained access to the vendor's systems, which contained payroll files for current and former employees.

The FBI and IRS have advised the company that they believe the personal information accessed may be used by criminals to file fraudulent tax returns. The IRS is encouraging anyone who might have been affected by this unauthorized access to file their tax return as soon as possible. Those affected can also call the IRS Identity Protection Specialized Unit at 1-800-908-4490 with any questions.

Capital One has sent notification to customers regarding a possible breach to their personal information. They discovered that a former employee of the company may have improperly accessed customer accounts, which could have been linked to unauthorized transactions.

The information accessed included names, account numbers, Social Security numbers, payment information and other account information. The credit card company has notified law enforcement of the breach.

The company is also offering one year of Equifax's Credit Watch Gold with 3-in-1 Monitoring by February 28, 2014 for those that may have been affected.

Information Source:
Vermont Attorney General

records from this breach used in our total:
0

Breach Total

816,044,756 RECORDS BREACHED (Please see explanation about this total.) from 4,506 DATA BREACHES made public since 2005